Commit c941e32d authored by Mark Andrews's avatar Mark Andrews

1819. [bug] The validator needed to check both the algorithm and

                        digest types of the DS to determine if it could be
                        used to introduce a secure zone. [RT #13593]
parent 39c7fc7e
1819. [bug] The validator needed to check both the algorithm and
digest types of the DS to determine if it could be
used to introduce a secure zone. [RT #13593]
1818. [bug] 'named-checkconf -z' triggered an INSIST. [RT #13599]
1817. [placeholder] rt13587
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: ds.c,v 1.4 2004/03/05 05:09:19 marka Exp $ */
/* $Id: ds.c,v 1.5 2005/03/04 03:53:20 marka Exp $ */
#include <config.h>
......@@ -81,3 +81,8 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
return (dns_rdata_fromstruct(rdata, key->rdclass, dns_rdatatype_ds,
&ds, &b));
}
isc_boolean_t
dns_ds_digest_supported(unsigned int digest_type) {
return (ISC_TF(digest_type == DNS_DSDIGEST_SHA1));
}
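Review bot: dns_ds_digest_supported() has no comment at its definition, yet the single comparison `digest_type == DNS_DSDIGEST_SHA1` now decides whether the validator may use a DS or DLV record at all. I would add above the function something like `/* Must list exactly the digest types dns_ds_buildrdata() can compute; the validator skips DS/DLV records with any other digest type. */` so that whoever teaches dns_ds_buildrdata() a new digest updates this list in the same change. dns_ds_buildrdata() starts outside the hunk, so its digest handling cannot be checked against this list from here.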
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: ds.h,v 1.3 2004/03/05 05:09:42 marka Exp $ */
/* $Id: ds.h,v 1.4 2005/03/04 03:53:21 marka Exp $ */
#ifndef DNS_DS_H
#define DNS_DS_H 1
......@@ -51,6 +51,12 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
* to 'buffer'.
*/
isc_boolean_t
dns_ds_digest_supported(unsigned int digest_type);
/*
* Is this digest algorithm supported by dns_ds_buildrdata()?
*/
ISC_LANG_ENDDECLS
#endif /* DNS_DS_H */
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: resolver.h,v 1.41 2004/04/15 23:40:26 marka Exp $ */
/* $Id: resolver.h,v 1.42 2005/03/04 03:53:22 marka Exp $ */
#ifndef DNS_RESOLVER_H
#define DNS_RESOLVER_H 1
......@@ -416,6 +416,12 @@ dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name,
* crypto libraries if not specifically disabled.
*/
isc_boolean_t
dns_resolver_digest_supported(dns_resolver_t *resolver, unsigned int digest_type);
/*
* Is this digest type supported.
*/
void
dns_resolver_resetmustbesecure(dns_resolver_t *resolver);
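Review bot: dns_resolver_digest_supported() takes no `name`, unlike dns_resolver_algorithm_supported() declared just above it, so the digest check cannot later be made per-zone without changing every caller. The context comment `crypto libraries if not specifically disabled` suggests the algorithm check already honours some disable policy; if the same is ever wanted for digests, adding a `dns_name_t *name` parameter now would be cheaper than a second API. The comment `Is this digest type supported.` should also say what the caller can rely on, for example `Returns ISC_TRUE if DS records using 'digest_type' can be verified; 'resolver' is currently unused.`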
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: resolver.c,v 1.303 2005/02/08 23:51:31 marka Exp $ */
/* $Id: resolver.c,v 1.304 2005/03/04 03:53:21 marka Exp $ */
#include <config.h>
......@@ -30,6 +30,7 @@
#include <dns/cache.h>
#include <dns/db.h>
#include <dns/dispatch.h>
#include <dns/ds.h>
#include <dns/events.h>
#include <dns/forward.h>
#include <dns/keytable.h>
......@@ -6520,6 +6521,13 @@ dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name,
return (dst_algorithm_supported(alg));
}
isc_boolean_t
dns_resolver_digest_supported(dns_resolver_t *resolver, unsigned int digest) {
UNUSED(resolver);
return (dns_ds_digest_supported(digest));
}
void
dns_resolver_resetmustbesecure(dns_resolver_t *resolver) {
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: validator.c,v 1.126 2005/02/09 05:19:30 marka Exp $ */
/* $Id: validator.c,v 1.127 2005/03/04 03:53:21 marka Exp $ */
#include <config.h>
......@@ -1561,6 +1561,9 @@ dlv_validatezonekey(dns_validator_t *val) {
dns_rdataset_current(val->dlv, &dlvrdata);
(void)dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
if (!dns_resolver_digest_supported(val->view->resolver,
dlv.digest_type))
continue;
if (!dns_resolver_algorithm_supported(val->view->resolver,
val->event->name,
dlv.algorithm))
......@@ -1647,7 +1650,7 @@ dlv_validatezonekey(dns_validator_t *val) {
val->event->rdataset->trust = dns_trust_answer;
val->event->sigrdataset->trust = dns_trust_answer;
validator_log(val, ISC_LOG_DEBUG(3),
"no supported algorithm (dlv)");
"no supported algorithm/digest (dlv)");
return (ISC_R_SUCCESS);
} else
return (DNS_R_NOVALIDSIG);
......@@ -1848,6 +1851,10 @@ validatezonekey(dns_validator_t *val) {
dns_rdataset_current(val->dsset, &dsrdata);
(void)dns_rdata_tostruct(&dsrdata, &ds, NULL);
if (!dns_resolver_digest_supported(val->view->resolver,
ds.digest_type))
continue;
if (!dns_resolver_algorithm_supported(val->view->resolver,
val->event->name,
ds.algorithm))
......@@ -1940,7 +1947,7 @@ validatezonekey(dns_validator_t *val) {
val->event->rdataset->trust = dns_trust_answer;
val->event->sigrdataset->trust = dns_trust_answer;
validator_log(val, ISC_LOG_DEBUG(3),
"no supported algorithm (ds)");
"no supported algorithm/digest (ds)");
return (ISC_R_SUCCESS);
} else
return (DNS_R_NOVALIDSIG);
......@@ -2193,7 +2200,7 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
}
static isc_boolean_t
check_ds_algorithm(dns_validator_t *val, dns_name_t *name,
check_ds(dns_validator_t *val, dns_name_t *name,
dns_rdataset_t *rdataset) {
dns_rdata_t dsrdata = DNS_RDATA_INIT;
dns_rdata_ds_t ds;
......@@ -2205,9 +2212,13 @@ check_ds_algorithm(dns_validator_t *val, dns_name_t *name,
dns_rdataset_current(rdataset, &dsrdata);
(void)dns_rdata_tostruct(&dsrdata, &ds, NULL);
if (dns_resolver_algorithm_supported(val->view->resolver,
name, ds.algorithm))
if (dns_resolver_digest_supported(val->view->resolver,
ds.digest_type) &&
dns_resolver_algorithm_supported(val->view->resolver,
name, ds.algorithm)) {
dns_rdata_reset(&dsrdata);
return (ISC_TRUE);
}
dns_rdata_reset(&dsrdata);
}
return (ISC_FALSE);
......@@ -2385,8 +2396,8 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
} else {
validator_log(val, ISC_LOG_DEBUG(3), "resuming proveunsecure");
if (val->frdataset.trust >= dns_trust_secure &&
!check_ds_algorithm(val, dns_fixedname_name(&val->fname),
&val->frdataset)) {
!check_ds(val, dns_fixedname_name(&val->fname),
&val->frdataset)) {
if (val->mustbesecure) {
validator_log(val, ISC_LOG_WARNING,
"must be secure failure");
......@@ -2394,7 +2405,7 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
goto out;
}
validator_log(val, ISC_LOG_DEBUG(3),
"no supported algorithm (ds)");
"no supported algorithm/digest (ds)");
val->event->rdataset->trust = dns_trust_answer;
result = ISC_R_SUCCESS;
goto out;
......@@ -2453,10 +2464,9 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
* continue.
*/
if (val->frdataset.trust >= dns_trust_secure) {
if (!check_ds_algorithm(val, tname,
&val->frdataset)) {
if (!check_ds(val, tname, &val->frdataset)) {
validator_log(val, ISC_LOG_DEBUG(3),
"no supported algorithm (ds)");
"no supported algorithm/digest (ds)");
if (val->mustbesecure) {
validator_log(val,
ISC_LOG_WARNING,
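Review bot: The digest-then-algorithm test is now written out three times, in dlv_validatezonekey(), validatezonekey() and check_ds(), and the insecure fallback (`trust = dns_trust_answer` with `ISC_R_SUCCESS`) is only sound while all three agree on which DS/DLV records are usable. One static helper called from all three places would keep proveunsecure() and validatezonekey() from drifting apart the next time a criterion is added; a sketch with a suggested name follows. Separately, the DEBUG(3) message `no supported algorithm/digest (ds)` does not say which value was rejected, so logging `ds.digest_type` and `ds.algorithm` at each `continue` would let an operator tell an expected fallback to insecure from an unexpected one. All of these functions start and end outside the hunks shown.

```c
/* True if a DS/DLV record with this algorithm and digest type can be used. */
static isc_boolean_t
ds_usable(dns_validator_t *val, dns_name_t *name,
	  unsigned int algorithm, unsigned int digest_type)
{
	return (ISC_TF(dns_resolver_digest_supported(val->view->resolver,
						     digest_type) &&
		       dns_resolver_algorithm_supported(val->view->resolver,
							name, algorithm)));
}

/* … unchanged: rdataset iteration in check_ds() … */
		if (ds_usable(val, name, ds.algorithm, ds.digest_type)) {
			dns_rdata_reset(&dsrdata);
			return (ISC_TRUE);
		}
```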
......